Systems and methods for on-line backup and disaster recovery

ABSTRACT

A data recovery system includes a plurality of customer computers to be backed-up, each customer computer running a client software to communicate back-up data files; a system management platform coupled to the client software over the Internet, the system management platform receiving inputs from a web user portal to control operations of the client software and the system management platform to back up the customer computer; and two or more data storage silos, each including: a plurality of storage directors communicating with the client software; and a clustered data storage array.

FIELD OF INVENTION

The invention relates to systems and methods for disaster recoveryand/or maintaining back up files for servers on a computer network.

BACKGROUND OF THE INVENTION

As companies today become more accustomed to storing important companyinformation on their data network, the value of these networks and thedata they store continues to grow. In fact, many companies now identifythe data stored on their computer network as their most valuablecorporate asset.

Today most backup systems operate by having the network administratoridentify a time of day during which little or no network activityoccurs. During this time the network administrator turns the networkover to a backup system and the data files stored on the computernetwork are backed up, file by file, to a long term storage medium, suchas a tape backup system. Typically the network administrator will backup once a week, or even once a day, to ensure that the backup files arecurrent.

Although such a backup process may work well to create a copy of thedata stored on the network, it is a time consuming and labor intensiveprocess. Moreover, it is a cumbersome process that often isinappropriate in many environments. For example, as more and morecomputer networks begin to operate twenty-four hours a day seven daysweek, it is continuously more difficult for the system administrator toidentify a block of time during which the majority of network resourcesmay be turned over to the backup procedure. Moreover, as computerizednetwork systems begin to store more information as well as informationthat changes regularly during the course of the work day, the value of abackup system which only backups once a week or once a day is fairlyreduced. In fact many companies now rely on the corporate network tostore almost all of its business information, and the loss of even aportion of the information stored on the network during the course of aday may result in a substantial cost for the company. Accordingly,systems which only backup periodically are of a reduced value to acompany.

Computer backups are performed using several strategies. The simplestentails a complete transfer of all data and meta-data (such as timestamps, ownership, and access rights) to a target which is simple butredundantly transfers data already present on the target at potentialhigh expense. Incremental backups transferring actual changes or a moremanageable subset are also possible. Common mechanisms for determiningan appropriate increment include archive bits and modification timestamps. Archive bits are set by the operating system on any change andreset by the backup software but preclude use for multiple backupsystems and don't narrow down the types of change. Modification timestamps are set by the operating system but can sometimes be adjusted byuser software.

Transfer-mechanisms vary often involve common file formats. Such fileformats often intermix data and meta-data which make meta-dataseparation for other processing expensive. The contents of such filesare also often constrained to what's needed for a specific operatingsystem.

Many software programs implementing such backups use only one singlethread of instructions which precludes having multiple simultaneousreads and writes which speed backups with increased input/output (I/O)throughput and reduced latency effects from performing multiple IOssimultaneously to/from the same and different end-point. Parallel I/Osto the same end-point can have higher throughput when the operatingsystem and firmware can re-order them for efficiency (as on spinningmagnetic and optical disks where they can execute in physical order) oroverlap latency with command execution (notably on a network connection)to reduce its effect. Parallel I/Os to different end-points (such as anetwork target and local storage, or multiple mass storage devices likein a disk array) can approach the aggregate throughput of the devices asopposed to the average when performed serially.

Moreover, although the current backup systems work well for putting dataon to a long term storage media system, they often store datasequentially on to media, like a magnetic tape, losing the filestructure of the data, and making it difficult to retrieve informationwithout having to reinstall all the data previously stored on the tape.Thus, if a portion of the data is lost, it is often difficult to restorejust the data that was lost, and often the system administrator isforced to decide whether it is worth the cost of retrieving the lostportion of the data.

Many backup systems do not provide an easy way to validate that thebackup contents are usable (problems such as a disk or tape error canpreclude this) and match the source. U.S. Pat. No. 7,644,113 disclosessystems and methods for continuous back up of data stored on a computernetwork. The system includes a synchronization process that replicatesselected source data files data stored on the network and to create acorresponding set of replicated data files, called the target data filesthat are stored on a backup server. This synchronization process buildsa baseline data structure of target data files. In parallel to thissynchronization process, the system includes a dynamic replicationprocess that includes a plurality of agents, each of which monitors aportion of the source data files to detect and capture, at thebyte-level, changes to the source data files. Each agent may record thechanges to a respective journal file, and as the dynamic replicationprocess detects that the journal files contain data, the journal filesare transferred or copied to the backup server so that the capturedchanges can be written to the appropriate ones of the target data files.

SUMMARY

In one aspect, a back end distributed metadata store saves any types ofmetadata, even data unsupported by the underlying back end file system,in sidecar files for any type of attribute. Applications includeextended ACL's, long file names, document tags or classifications, amongothers.

In another aspect, systems and methods are disclosed for improvedBackup/Replication Performance via Locally Distributed Change Detection.Traditional backup systems talk to a central server which has a catalogof what has been backed up. The instant client software 10, as areplication solution, needs to rapidly identify what files have changed.By making the simplifying assumption that all writes to the givenreplication destination sub-tree are going through the client software,the Manifest files are a local representation of what the remote(replicated/back end) state was. Therefore, the client software only hasto compare the defined job to the manifest (avoiding network round trip)to determine what needs to be transmitted to the back end.

In yet another aspect, Asynchronous Replication Correctness Validationcan be done. Using the uploaded manifest file, metadata (and optionallyon-disk payload via hash compare) is verified and compared with theon-disk state. If a discrepancy is found, manifest is wiped or patchedand pushed down, and the next sync job resolves all discrepancies. Thissecond check is a way of performing complete end to end validation, likea restore test, without having to do an actual restore. Alternatemechanisms for asynchrony replication can be done. For example, eventdriven systems can be used to scale large files with backup driven byfinite automata. Multi-process can also be used for failure domainconstraint.

In a further aspect, the system minimizes network bandwidth used forreplication/backup. As network bandwidth is generally the key limitingresource for an Internet delivered backup or replication service, theclient software goes through a number of steps to ensure that theminimum amount of data needs to be transmitted. In one implementation,the manifest is used to identify locally what files have changed. Next,a local sub-file signature cache is consulted to detect insertions,removals, and rearrangements of data in files, so that only the changedportion of the file is transmitted. Next, the patch segments generatedare compressed with standard compression libraries, the payload isencrypted with SSL, and the payloads are transferred in 10 MB chunksover WebDAV, which an HTTP extension designed for moving large amountsof data. Additionally, multiple threads are run in parallel, overcomingslowness or limitations in TCP window scaling adjustments, or handlingnetwork “long fat,” (high latency high bandwidth) network connections.At the receiving end the WebDAV server intelligently decrypts, expandsthe patch sets, and stamps them down onto the file system. This resultsin the transfer efficiency of an incremental backup, but generates afull backup with snapshots going back in time for version history.Notably, this also results in a mountable/usable file system, as opposedto a backup “blob,” that requires processing by the backup softwarebefore it is transformed back into a usable state. This process isfollowed for each individual file (in parallel with other files. Thesystem loops over the sub file difference, patches phase to limit memoryfoot print. The system can parallelize patch processing within a singlesource file. Additionally, multiple threads are run in parallel,overcoming slowness or limitations in TCP window scaling adjustments, orhandling network “long fat,” (high latency high bandwidth) networkconnections.

In yet another aspect, simultaneous generation of a local backup on aWindows or NFS share is done for rapid restore purposes, for missioncritical or especially large files, in addition to transferring to thesystem. Doesn't require an appliance—any mountable share (or USB drive,for example) is a valid target. Efficient access to version history isavailable by using the local copy as a “seed,” and accessing snapshotdata and transmitting only the patch sets required to revert to anyparticular version.

In a further aspect, automatic provisioning of new customers or trialvolumes, including administrative account setup, storage provisioning,and enabling of billing and monitoring is all done with no human in theloop.

In another aspect, State Consistent Replication is done. By leveragingsource side snapshots (whether VSS, LVM, or on a NetApp filer), snappingthe source data, performing the sync, and then snapshotting on thesystem side results in an identical data set on the system side. This isthe same net result as products (and associated claims) such as NetAppSnapMirror or EMC Replication Manager, but operating in a very differentmechanism (the aforementioned are block based tracking). The advantageis that it supports heterogeneous storage (from any vendor to thesystem, or from any vendor to any vendor).

In a further aspect, real time billing and metrics reporting are done.The backend has a scalable system for collecting, rolling up, acting on,and displaying an arbitrary set of metrics. Current usage is forcustomer bandwidth and footprint metrics, but this can be extended overtime.

Advantages of the system may include one or more of the following. Thesystem supports off-site storage of critical data. The system providessecurity, backup time, management and most important, recovery time. Thesystem uses the cloud and client to cloud communications agents usingthe Web Distributed Authoring and Versioning (WebDAV) extension to theHTTP protocol. WebDAV allows communications between customer equipmentand the cloud data centers to be done in a rapid multi-thread mode whichallows the full available customer bandwidth to be utilized, shrinkingbackup and recovery time at the protocol level. In addition, data isde-duplicated and compressed prior to transmission, further reducingbackup and recovery time. A local copy of a file version fingerprint iskept on the customer equipment which can be used to quickly determine iffile data has changed. Incremental change data is transmitted to thecloud, further reducing transmission times. The system is highly secureand security starts with encryption of data prior to transmission and atrest. Since businesses will different views of IT's involvement in therecovery process of entire systems or a particular file version,lightweight directory access protocol (LDAP) is used to determine whohas privileges to access what. An administrator can establish theservice with LDAP for the customer defaults to that admin for access tothe customer data. After that, and depending on how much care andfeeding the IT organization wants to donate to the process, it ispossible for end users to be able to access and recover data that is,for example, on their personal laptop. Protection technology isautomated with configurable frequency and retention settings. Because ofthe communications efficiencies, the expense and management of adedicated backup appliance is not necessary. It takes about fifteenminutes to set up and establish the service. In case of a disaster, thedata is instantly available via a web browser interface. The sameinterface is used to manage all machines via a single pane. The systemmakes cloud data protection and disaster recovery feasible for themid-market with compelling features, no capital expense and low,predictable operating expenses.

Other advantages of the system may include one or more of the following.The system provides on demand storage—immediately scale according to auser's growth, compliance and user needs. The system provides a realfile system backend—replication allows for mounting. A standards basedfile protocol access is used. The system is secure—encryption end-to-endfrom the user's location to the system. Data received is hashed onreceipt and verified while stored with the system. Users can accessnative file system data directly without complicated restore process.The system is fast and can move data efficiently, leading to reducedbackup windows. The system can perform fast change detection, and theWAN-optimized software-based data mover includes bandwidth efficiencythrottling. Sub-file change detection can be done, and strong checksumsare kept on every file. Reverse incremental backup can be done through aseries of full backups that are fully versioned. Snapshots are kept forrecovery point objectives (RPO), retention schedules and compliancerequirements. Through block level snapshot deltas and sub file changedetection, the system is very space efficient. Features include:

-   -   Automated—‘set and forget’ protection    -   Automatic upgrades    -   Multi-platform support including Windows, Linux and MAC systems    -   Near instant deployment—A fully SAS based model allows customers        to start protecting data within minutes    -   Managed Service—24/7/365—The system services team proactively        managing the data protection    -   The system utilizes award-winning technology and infrastructure:    -   Web-based System Management Portal (SMP) to manage, configure        and report on data protection jobs    -   Central View—Web-based single view across all data protection        targets—remote locations, servers, end-users    -   Geographically diverse data centers to select from    -   SAS 70 Type II audited service, technology and datacenters    -   Native connectors—Enterprise connectors for Databases    -   Netapp replication

Other advantages of the system may include complete data protection tosmall and mid-sized companies by delivering each of the four componentsof data protection: online backup, disaster recovery, offsite datastorage, and compliance. Online backup is a simple and automated way tobackup the company's servers and laptops and is the first piece of thedata protection puzzle. With the system, incremental backups arecompleted quickly thanks to de-duplication and multi-threaded datatransfer over https. Disaster recovery is an important part of dataprotection—since backups are worthless if they can't be recovered. Withthe system's snapshot & replication approach, single files are just aseasy to recover as whole file systems or databases. Offsite data storageis another component of data protection that ensures data loss in thedata center or company headquarters doesn't also corrupt or destroybackup data. The system allows you an even greater level of dataprotection with the option to have the data replicated in both WestCoast and East Coast data centers.

The system has three disaster recovery solutions built-in. To recoverdata an IT professional can use: the software client, a web browser, ora mapped network drive. To recover with the software agent simply usethe “Restore Using The system Mirror” option when you right click on afile or directory from the admin interface. This is the most frequentlyused of the system's disaster recovery solutions. The web-based recoverywill be the first of the disaster recovery solutions on the prioritylist if the data center has been damaged by a fire or tornado, forexample. All it requires is logging into the system management portal,selecting the system you want to restore, then the snapshot of thatsystem you want, and then click the blue URL link. A list of files forthat system will then load in a new browser tab. Mapped network drivebased disaster recovery solutions are built into the operating systemsuch as Windows Vista and Windows 7.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1B show exemplary disaster recovery and back-up systems.

FIG. 2A-FIG. 2C show an exemplary data storage silo.

FIG. 3 shows an exemplary process to perform automatic provisioning ofnew customers or trial volumes.

FIG. 4 shows a block diagram of an exemplary client software withseparate processes that work in concert with each other and a pluginsmodule.

FIG. 5 shows an exemplary back end distributed metadata store processperformed by the client software 10 in one embodiment.

FIG. 6 shows an exemplary process for performing AsynchronousReplication Correctness Validation.

FIG. 7 shows an exemplary process to efficient replication of clientmachine content.

FIG. 8 shows an exemplary process to reduce data transfer for files.

FIG. 9 shows a process for state consistent replication.

FIG. 10 shows an exemplary process for data recovery.

FIG. 11 shows an exemplary real-time billing and metrics reportingprocess.

FIGS. 12A-12H show exemplary user interface screens.

FIG. 13 shows an exemplary approach for managing customer clients.

DESCRIPTION

FIG. 1A shows an exemplary disaster recovery and back-up system. Thesystem includes a plurality of client software 10. The software 10 runsnatively on customer systems and interfaces directly with the user'scomputer file system. The software 10 is able to perform network filereads and writes, change detection, snapshots, database serializationand many more backup and restore functions and is remote controlled bythe a System Management Platform 20 service over the Internet 100.

The configuration of the client software 10 is done using a web userinterface 40. Once configured, the client software 10 communicates overthe Internet 100 to the System Management Platform (SMP) 20 that acts asa central director for all activities. Configuration and user monitoringof the overall system is performed there through an overlaid HTML UI 40.Once configured the SMP 20 interfaces with agents at the client software10 to initiate backup and restore jobs and other associated tasks. Theweb interface 40 can be an HTML UI that interfaces with the SystemManagement Platform 20 and allows users to interact with the SMP 20 witha web browser to configure, monitor and manually initiate jobs. The HTMLUI also acts as a central gateway to other HTML interfaces such as a WebFile Browser hosted on the application servers.

Back up data from the client's computer is provided to storage directors30 that send the information to a data storage array 32. A metrics andbilling platform 22 communicates with the system management platform 32to bill customers. A back end monitoring system 50 ensures that systemsoperate with a predetermined uptime.

One embodiment provides cloud backup security features such as:

1. The data is encrypted both in transit and at rest.

2. The data is stored using RAIN-6 (Redundant Array of IndependentNodes) that ensure that even if two entire storage nodes go down, notjust two disks, the data is still available.

3. File level hashing to validate that all the data is free ofcorruption so it can be restored when needed.

4. Storage in SAS70 Type II data centers under audited serviceprocedures.

5. Data immutability and preservation procedures for compliance withregulations such as SEC Rule 17-4a.

6. Service Auditors to the Statements on Standards for AttestationEngagements No. 16 (SSAE-16) certified service

7. User and group level access control to limit data access.

8. Authentication and logging of all access to data.

FIG. 1B shows a second embodiment of the disaster recovery and backupsystem. In this system a plurality of data centers are provided toprovide high availability. Each data center has routers 132 thatcommunicate to load proxy machines 134 to distribute incoming requeststo a plurality of application servers 136. In one embodiment, therouting infrastructure is based on 10G technology and is redundant atevery level. In this embodiment, Load Proxy servers 134 receive incomingrequests, validate the credentials in the request against LDAP, androute them to the application server that hosts the volume. Proxies aredeployed as HA pairs. HTML based applications can be hosted here toprovide seamless access for the user using a web browser.

The servers 136 communicated with a clustered storage array 138. Theapplication servers 136 handle the bulk of the system load by providinga file system interface to the underlying data storage system 138. Mostfile system functions are provided through a WebDAV interface, butseveral custom additions were necessary to optimize the services. Theapplication server also includes SSD for read cache acceleration.Application servers are deployed in HA pairs, and “own,” one or morepools of disks, from which volumes are thin-provisioned.

Client software 110 communicates with the router 132. For management,the client software 110 also communicates with a system managementplatform (SMP) 120, which is controlled over a web interface 140. Ametrics and billing platform 122 receives usage inputs from theapplication servers 136 and the SMP 120. In one embodiment, the Metricsand billing platform 122 is a custom client/server software built upontraditional SQL DB technologies. Frequent samples of storage metrics aresaved and are available for instant and historical analysis over anytime period. The system has custom built the billing metrics systemsusing traditional SQL database methodology to produce a very reliableyet scalable system. A scalable and customizable billing infrastructureis used that allows the system to take advantage of a large number offlexible subscription billing features. An LDAP based authenticationdatabase 124 also receives input from the application servers 136. TheLDAP servers store and authenticate users for every transaction.

A back end monitoring system 150 ensures that systems operate with apredetermined uptime. The monitoring system 150 includes automatedprograms that monitor the health of thousands of individual hardware andsoftware elements within the system. In one embodiment, an anonymoussearch operation is done in a root directory of each server every tenseconds. In another embodiment, Directory Proxy Server 6.0 has a numberof properties that can be configured to monitor its backend servers. Inyet other embodiments, the monitoring system 150 includes a TCP healthmonitor that interacts with the TCP port associated with the applicationand verify that a connection could be made, signifying that anapplication was running and listening for users. A typical example wouldbe to attempt to attach to TCP port 80 of a web server. A successfulconnection to the appropriate port indicates server health that isbetter than a simple network PING that an application listens on theserver.

In one implementation, the data storage array 32 is a RAIN-based storageand protection systems that includes RAIN nodes, IP-basedinternetworking, and RAIN management software. The RAIN nodes can be 1 Uservers that provide about 1 terabyte of serial ATA (SATA) disk storagecapacity, standard Ethernet networking and CPU processing power to runRAIN and data management software. Data is stored and protected reliablyamong multiple RAIN nodes instead of within a single storage subsystemwith its own redundant power, cooling and hot-swap disk-drive hardware.The RAIN nodes are physically interconnected using standard IP-basedLANs, metropolitan-area networks (MAN) and/or WANs. This letsadministrators create an integrated storage and protection grid of RAINnodes across multiple data centers. With MAN and WAN connectivity, RAINnodes can protect local data while offering off-site protection for datacreated at other data centers. The RAIN management software lets RAINnodes continuously communicate their assets, capacity, performance andhealth among themselves. RAIN management software automatically candetect the presence of new RAIN nodes on a new network, and these nodesare self-configuring. The management software creates virtual pools ofstorage and protection capacity without administrative intervention. Italso manages all recovery operations related to one or more RAIN nodesbecoming unavailable because of RAIN node or network failures. RAINnodes do not require immediate replacement upon component failurebecause lost data is automatically replicated among the surviving RAINnodes in the grid.

In one embodiment, the data storage array 32 or 138 is a RAIN-6clustered storage array. The redundant Array of Independent Nodes (RAIN)architecture enables the system to have an entire node of disks or up to50% of hard drives fail without experiencing any difficulty or systemfailure. RAID focuses on protecting hard drives from failure, while RAINfocuses on protecting the entire node, or server, cluster from failure.With RAIN technology not only are systems protected from a single harddrive failure, but also are protected from other hardware failures suchas power supply, mother board, CPU, RAM or any other internal component.RAIN technology can protect up to 50% (n/2n) of the hard disk involvedacross all connected nodes. As more nodes are added the fault toleranceof the entire node cluster increases. More nodes mean higher performanceand availability and increased scalability. High performance is realizedby writing data first to Solid State Drives then to the SATA Drives.

On exemplary cluster architecture is built on the clustered file systemand enables multiple engine nodes to share volumes on a group of SANdevices and provides a global naming system, which evenly distributesaccess requests onto the engine nodes by running a load balancealgorithm. It also provides a set of file lockout mechanisms, ensuringthat all engine nodes can access data on the same volume. The clusterarchitecture and load balance design eliminate risks from node failures,so even when a server in a data center fails, data access service isuninterrupted.

With RAIN architecture, independent servers in the cloud make completecopies of the user's data. This data is protected because it is copiedfrom machine to machine in the cloud and the servers check that eachcopy is perfect. If one of those servers fails, user data does notdisappear. The others detect the loss and make additional copies througha process called regeneration. Most storage systems use a differentarchitecture, known as RAID, or Redundant Array ofInexpensive/Independent Disks. The RAID method does something similar toRAIN, but at the disk or machine level. The advantage with the RAINarchitecture of the cloud is that it is much more scalable: Protectionis happening at the server level, not down at the disk level. The RAINmethod is also more reliable. An entire node could fail, but a userwould still have access to his or her data because it would bereplicated on additional nodes.

The three components of the online server backup are the backup itself,system snapshots, and replication of the data offsite. The system'sserver backup solution uses the lightweight client software, withspecific plugins for file servers, Exchange, SQL, and VMware andmulti-platform support for 18 different flavors of Windows, Linux, andMac. Server backup using the client software enables automatedincremental backups with configurable retention settings.

Snapshots are Versioning-Enabled Backup copies that capture the state ofthe data at a point in time. Snapshots allow for server backup with aconsistent backup state across the entire system, with granularversioning. The system's snapshots use byte-level change detection tooptimize the amount of data being transferred across the network duringeach daily server backup job.

The system pairs snapshots with replication to provide the mostefficient disaster recovery capability. Rather that storing thesnapshots compressed, or in a proprietary format, replication makes thebackup a fully instantiated file system—in its native format—so disasterrecovery becomes as easy as pulling a file off a file server.

The system may be integrated into a conventional computer network systemthat comprises conventional network elements and nodes such as clientstations, work stations, printers, hubs, routers, and other conventionaldata network equipment. For example the depicted servers may beconventional files servers of the type commonly employed with computernetworks and can comprise a PC compatible work station running thewindows NT, UNIX, Linux, or other operating system and having sufficientrandom access memory and persistent memory to operate efficiently as aserver systems. Similarly, the client station can be a conventionalclient workstation such as a PC compatible computer system running thewindows 8, Linux, or UNIX operating system or any suitable operatingsystem. Additionally, the client station can comprise an alternativeclient system such as a hand-held device, a standalone client systemsuch as kiosks, or any other suitable client device. In FIG. 1 thenetwork is the Internet, but can also be a local area network, howeverit will be apparent to one of ordinary skill that the systems andmethods described herein can be employed with wide area network, adistributed network, including the Internet or any other suitablenetwork system.

It will be understood by those of skill in the art, that these datastorage device element may be conventional database systems, as well asconventional file systems, such as the Windows file system, or the UnixFile system, both of which have directories of data file that may bebacked up by the systems described herein. Moreover, the backup systemsdescribed herein will operate with data storage devices that storedifferent formats of data and different types of files. For example, thedata storage devices may store data files, executable files, registryinformation, database structures and other conventional data formats anddata types. Moreover, FIG. 1A shows these stores of data as local to theserver, however, it will be understood that such data stores may also bedistributed across a plurality of locations and devices. The data may bephysically stored on any suitable memory system including a cache memorysystem, a random access data memory, or a persistent data memory, suchas a hard disk drive, RAID system, tape drive system, floppy diskette,or any other suitable system. The system depicted in FIG. 1A depicts thedata storage devices as physically separate from the servers, however,it will be understood by those of ordinary skill in the art that inother embodiments the data storage devices can be integrated into thesystem, such as an internal hard drive device.

The system can also work with a tape library which may be a conventionaltape library system of the type commonly employed for backing up data ona computer network. In one particular embodiment, the tape librarysystem is a blank tape library system manufactured by the Quantum corp.of Milpitas, Calif. However, it will be apparent to those of ordinaryskill in the art that other tape library systems may be employed withoutdeparting from the scope of the invention. Optionally, the tape librarymay include a controller that performs a tape expiration process torotate selectively the use of tapes in the library and which is based onthe loader capacity of the tape library. Specifically backup of data tothe automated tape library, which can be a conventional juke box devicethat, can happen in a manner wherein after multiple or incrementalsystem backups, essentially all available tape space is employed. Thusthere is no more blank tape available for recording information. Ratherthan have a human remove the tape, and automatically reuse the oldesttape, the systems and methods described herein can operate the libraryto provide for continuous tape back up. In this practice, data sent overthe network to the library may employ a tape expiration techniquewherein the tape holding or storing the oldest data is employed by thesystem for storing new data into the library. The controller toimplement this process may be a software process operating on the backup server, that is capable of recording which tape in the library hasbeen employed for storing data and at what time the data was stored. Thecontroller may store data onto each tape until the tape is full, orincapable of taking new data. Once this occurs, the controller maydetermine if any tapes in the library are blank and available forstoring data. If so the controller can select the blank tape forreceiving data. Otherwise, the controller can compare the timeinformation for each tape to identify the tape having the oldest data.That tape may then be selected by the controller for storing data. It isimportant to understand that although FIG. 1A depicts the system ashaving a single library, a plurality of tape libraries may also beemployed. Accordingly, the expiration strategy can be employed across aplurality of tape libraries. Additionally, a plurality of different tapeexpiration strategies may be employed for a single tape storage librarysuch as the tape storage library depicted in FIG. 1A. The tapeexpiration process may be employed with other types of long term storagesystems, including hard disk systems, R/W CD-ROM, RAID systems, or anyother suitable system.

FIGS. 2A-2C show in more detail an exemplary storage silo 200 in thedata storage array 32 or 138. Each storage silo is horizontally scalableto near infinite number of nodes. The system configuration andmanagement system ties the nodes together in a shardable and easilyscalable way to support potentially millions of volumes andorganizations. The Authentication and networking infrastructure is basedaround industry standard mechanisms that have proven to scale tointernet wide levels.

The silo 200 are comprised of 10 storage nodes and a HA pair of “heads,”which own/control the file system, and the networking gear to supportthem. At the storage node level, it is a computer running Linux with anumber of disks. Each disk is first run through a crypto driver modulewhich provides for on-disk encryption. The cleartext end of that driveris then exported via iSCSI, across 2×1 gbps network interface cards.iSCSI is Internet SCSI (Small Computer System Interface), an Internet—

Protocol (IP)-based storage networking standard for linking data storagefacilities. The iSCSI traffic is both load balanced and fails over the 1gbps links, and connects to separate switches SW1 and SW2.

By carrying SCSI commands over IP networks, iSCSI is used to facilitatedata transfers over intranets and to manage storage over long distances.The iSCSI protocol is among the key technologies expected to help bringabout rapid development of the storage area network (SAN) market, byincreasing the capabilities and performance of storage datatransmission. Because of the ubiquity of IP networks, iSCSI can be usedto transmit data over local area networks (LANs), wide area networks(WANs), or the Internet and can enable location-independent data storageand retrieval.

When an end user or application sends a request, the operating systemgenerates the appropriate SCSI commands and data request, which then gothrough encapsulation and, if necessary, encryption procedures. A packetheader is added before the resulting IP packets are transmitted over anEthernet connection. When a packet is received, it is decrypted (if itwas encrypted before transmission), and disassembled, separating theSCSI commands and request. The SCSI commands are sent on to the SCSIcontroller, and from there to the SCSI storage device. Because iSCSI isbi-directional, the protocol can also be used to return data in responseto the original request.

iSCSI is one of two main approaches to storage data transmission over IPnetworks; the other method, Fibre Channel over IP (FCIP), translatesFibre Channel control codes and data into IP packets for transmissionbetween geographically distant Fibre Channel SANs. FCIP (also known asFibre Channel tunneling or storage tunneling) can only be used inconjunction with Fibre Channel technology; in comparison, iSCSI can runover existing Ethernet networks. A number of vendors, including Cisco,IBM, and Nishan have introduced iSCSI-based products (such as switchesand routers).

The head nodes take in the iSCSI exports (which are whole disk mappings,rather than partial disk), and create raid stripes across the nodes.These raid stripes are aggregated into pools, from which volumes arecreated and thin-provisioned. A typical raid stripe is N+3, meaning 7data disks and 3 parity disks. This layout has no single point offailure. If a switch fails, network traffic transparently fails over tothe other link(s). If a given storage node fails, the volumes cancontinue for both read and write access. Writes that occurred when agiven node was offline are tracked, and recreated when the storage nodecomes back online (rather than rebuilding the entire stripe/pool). If agiven head fails, then the standby head imports all of the iSCSItargets, takes over the file system and virtual IP addresses, andresumes operation. One embodiment uses 360 disks which are partitionedinto pools of 120 disks each, and the pools are used for inter-customerload balancing and isolation.

The system has built a fully automated provisioning system that allowsfor new customer signup and service delivery with no human interaction.This allows for complete automation of the customer acquisition process,partner provisioning of new customers and the ability for customers toadd additional separate storage volumes directly through our web basedconfiguration platform. The customer is able to choose the desiredlocation of the new volume from a geographic list of system datacenters. This system allows increased operational efficiency and rapidgrowth. The storage volumes are provisioned from multiple sets ofavailable physical storage that are expanded just ahead of demand basedon growth projections.

FIG. 3 shows an exemplary process to perform automatic provisioning ofnew customers or trial volumes, including administrative account setup,storage provisioning, and enabling of billing and monitoring is all donewith no human in the loop.

The data protect solution is a combination of several systems includingthe Mirror Client, the System Management Portal (SMP), and the StorageSystem. In order for a new customer to use the service or for anexisting customer to add additional storage volumes a volume must becreated out of a previously existing shared storage pool. The systemallows for volumes to be made available in an automated way.

In FIG. 3, the system has a plurality of data storage facilities orsites A and B. Geographically Diverse Data Centers are used. Twofirst-class shared-nothing facilities provides for a geo-replicationoption. With geo-replication, the customer receives two volumes, oneprimary (read/write) and one secondary (read only). Read access to thesecondary is available continuously. Replication is based on snapshotswhich fire on a timer, typical propagation delay is about 4 hours.

For site A, a physical raw storage pool is allocated (302) and thestorage pool is formatted (304). Similarly, for site B, a physical rawstorage pool is allocated (306) and the storage pool is formatted (308).A new empty volume is created (310), and the new empty volume is addedto LDAP (312). The pre-provisioned volume queue is set up (320).

During operation, the SMP 120 gets a new request for a new volume (322),and the new volume is pulled from the pre-provisioned volume queue(326). The new volume is associated with an organization in the SMPdatabase (320). The new volume is given credentials in the LDAP (332)and the new volume is made available to users in the organization (334).

In one implementation, physical storage is aggregated via RAID and RAINmethods and made available as a large unpartitioned storage pool. Theunpartitioned storage pool allows for the creation of individualvolumes. Individual volumes are created from the unpartitioned storagepool using a set of scripts. A Globally Unique ID (GUID) is created andis associated to the new volume. The volume GUID and the networklocation of the volume is loaded into a queue that holds empty volumes.The queue is implemented in a Database and is queryable. This is calledthe “pre-provisioned volume queue”. The queue also records the physicallocation of the new volume such as “New Jersey Data Center” or “SantaClara Data Center.”

The newly created volume gets a new entry in an LDAP database thatassociates it to a known organization. The LDAP entry allows forauthentication to the volume for authorized users in an organization. Atthis point the volume is not assigned to an organization, but it doesget credentialed enough so that a monitoring system can log in and testthe volume. This is a key part of the process since we need to monitorall volumes even if they are not yet provisioned to an organization. TheSMP manages the process of supplying a volume to a specific user ororganization.

When a new organization is added or an existing organization requests anadditional volume, a pre-provisioned volume is taken out of the“pre-provisioned volume queue” and assigned to the organization (“org”):

a New volume is requested due to “new org” or “existing org requestsanother volume” The organization usually requests a volume in a specificphysical location such as “Santa Clara Data Center”

b SMP pops a volume from the “pre-provisioned volume queue” that matchesthe correct physical location.

c SMP associates the volume GUID to an organization within its owndatabase

d SMP changes the LDAP entry for the volume to allow users from theorganization access to the volume via credentials managed via the SMP.

Next, the client software 10 is detailed. The client software 10 isdesigned to be very thin with minimal local UI and configuration. Oncethe client has been authenticated and connected over the internet to theSystem Management Portal, (SMP), almost all configurations and controlare done through the SMP 20. The local client 10 does have some UI forreal time monitoring and does duplicate some of the SMP functionality,such as “start next job”. Not all versions of the client have UI.Windows software currently has the most UI while Linux and Mac versionsare almost complete headless with a simple command line interface forcontrol after installation.

As shown in FIG. 4, the client has three separate processes that work inconcert with each other and a plugins module as follows:

-   -   Service component 410—The scheduler and watchdog process, also        communicates with the SMP    -   User interface component 420—Presents a UI to the user and is        optionally run or not run    -   Sync component 430—Runs only during a sync window; Finds files        that have changed and handles data transfer; and Returns        statistics and errors to the service process via a pipe.    -   Plugin component 440—A loose collection of programs invoked by        the Service to handle special functions necessary for the        sync/backup process

One embodiment of the Service component 410 is implemented as a Serviceon Windows and as a long running process on Linux and Macintosh. TheService stays in constant contact with the Zetta SMP and can respond torequests and commands from SMP in real time. When a sync is scheduledthe SMP instructs the Service 410 to start a sync at a specified time.At the requested time the Service 410 starts a Sync process and monitorsa shared pipe to communicate status and errors back to the SMP. The Synccomponent 430 can also detect process deadlocks, stalled syncs or othererrors and can proactively cancel the sync process when necessary. TheService component 410 is also responsible for invoking virtual storagesnapshots prior to a sync and for launching plugins before, after, or inplace of a normal file sync.

One embodiment of the UI component 420 provides a user interface forlocal users of the host computer. The UI can communicate to the service410 via a shared pipe and can send commands to the service and monitorprogress. Typically the UI component 420 is represented as a small iconin the notification area and can be expanded to a larger view that showsreal time and historical sync progress. A context menu provides a listof commands that can be sent to the Service 410 as well as a list ofviews that can be opened to show further information.

Turning now to the Plugin component 440, complex backup functions can beencoded within a plugin rather than embedded in one of the existingclient processes. Examples of this are: specific database serializersand customer written pre and post backup procedures.

The Sync component 420 contains most of the complexity of the client 10.One embodiment of the Sync component 420 performs the followingfunctions:

-   -   File change detection    -   Sub-file difference detection    -   Breaking large files to manageable chunks    -   Compression    -   Transmission    -   Parallelization    -   Bandwidth and CPU utilization throttling

Next, certain sync process operations are detailed.

File change detection. The sync process iterates over all the files of aspecified file tree to determine which files it needs to replicate. Todetermine which files are already on the remote file tree the client caneither ask the remote server for a listing, or it can use a cached copyof the same information from a previous sync session. One embodimentuses a cached copy called “manifest”. A manifest is an ordered list offiles that include relevant meta data and current backup status. Bytraversing the file tree is a specific order the manifest is used as avery efficient database to detect which files need to be transferred andwhich files are unchanged since the last transfer.

Work queues and parallelization. When a file or directory has beenflagged for transfer by the “file change detection” step, it is placedin an appropriate work queue. The work queues are accessible to aconfigurable number of parallel threads that can take work off the queueand handle each file or directory. The work queues and the workprocesses create a system where multiple files and directories can beanalyzed and transferred simultaneously. This allows for better CPU, I/Oand network efficiency. One embodiment implements the work queues usingordered data structures like heaps or trees so files and directories canbe efficiently processed in output manifest order with lower memoryutilization. Memory footprint is also limited by flow control whichstops input manifest read and copy traversal until the number of in coreobjects drops below some threshold except when needed to avoid deadlock.In one exemplary scheduling data structure, the system uses priorityqueues which implemented as heaps as opposed to queues which aregenerally done as linked lists. In other embodiments, the system can usebalanced trees like red-black trees to achieve better insert and removeperformance where both tend to be in collating order (O(n) vs. O(n logn).

Sub-file difference detection. If a file has been previously transferredto the remote server and flagged as changed in a subsequent run, theclient 10 can perform a sub-file difference detection algorithm todetermine which parts have changed. Changed parts are determined using ablock signature algorithm and a block signature file that is saved bythe client during each upload. The net result of the differencedetection is a list of blocks that have changed and a list of placeswhere the blocks should be inserted in the remote file to make the twofiles identical.

Compression. The sync process can optionally compress using the gzipalgorithm and container format any data that it transfers. The containerformat includes a checksum that validates the data integrity end to end.

Transmission. The sync process uses the Webdav API over HTTP and SSL totransfer data in a WAN efficient way. One embodiment uses a Webdav APIthat has been extended and modified to allow for sub-file patching inone operation, upload compression and individual sub-file patching.

Resource utilization throttling. The sync process can be configured tolimit network bandwidth, disc bandwidth, random disk operation rate, andCPU usage. A rolling average is kept to determine utilization and adamping algorithm is used to inject pauses that bring the rollingaverage below the utilization threshold. One embodiment keeps a secondrolling average over a shorter time window to allow brief shorter burststo achieve a target resource usage rates in spite of short stalls.

In one embodiment, two rolling averages are used over long and shorttime periods, which allows a higher burst rate during the short periodso that the system can work around latency. One embodiment uses a pairof parallel token buckets: one limiting transmission time at the burstrate which fills at the target rate, one placing an upper limit oninitial sends which fills at the burst rate. Token buckets are used forrate limiting with tolerance for burstiness. A metaphorical bucket oftokens is used with a constant fill rate, with overflow tokens beingdiscarded once the bucket is full and operations removing a number oftokens equal to their cost before starting.

In one implementation, the client side program or client software 10encapsulates meta-data in a separate file from data for full andincremental backups that allows resource efficient detection of changesto limit data for a current backup, can execute I/O in parallel,supports meta-data for arbitrary operating systems, and can beefficiently transferred and used separately from the data for otherpurposes such as asynchronous back-up validation.

FIG. 5 shows an exemplary back end distributed metadata store processperformed by the client software 10 in one embodiment. The process canstore any type of metadata, even data unsupported by the system'sunderlying back end file system, in sidecar files for any type ofattribute. Applications include extended ACL's, long file names,document tags or classifications, among others.

File systems come in many flavors and hold differing types of meta data.Native file systems typically are accessed with API's that giveprogrammatic access to meta data. Native meta data is stored within thefile system in ways that are very specific to the particular filesystem. In order to support diverse file systems, the system storesarbitrary meta data that could be mapped to any file system. This isdone by:

-   -   Separate the meta data from the file data    -   Store the meta data beside each file in a separate file    -   The meta data file is itself a database capable of storing any        kind and any amount of meta data.    -   The meta data database is space efficient as well as efficient        for random access item lookup    -   Overlay an access mechanism such that, for every file, the meta        data can be queried, set, or overridden.

Turning now to FIG. 5, the user's computer has a native file system thatcombines file and metadata (450). The process splits the file data fromthe metadata (452) into constituent file data 454 and metadata 456.Through an application program interface (API), the process stores filedata and metadata (458). During a restore operation, the API can be usedto take separate file data 460 and meta data database 462 to restore thegeneric file system 464 as needed.

In one implementation, a simple database format is used with a very lowoverhead. It is a single index DB that can encode arbitrarily sizedelements. Most databases typically contain fewer than a dozen entriesand less than 4K of data. Since a single file usually takes up a singleblock, the system keeps the meta data database file size below the sizeof a single block. For each file in the system a metadata database iscreated as a shadow of that file in a hidden folder. Notably differentfrom other systems that use a single metadata store (i.e., a relationaldatabase) that becomes a scalability problem/single point of failure.Using this method, the system can scale arbitrarily large datasets, andhave wide client platform support.

In one embodiment, the causal consistency and optimistic locking in theMDBM format metadata database is used to leverage efficient access tothe WebDAV locks data base and for sha1 hashes stored there withasynchronous updates. For example, a file hash in the database isinvalid for version 1 of the file, a background process or thread beginsrecalculating the hash, the file is changed resulting in an invalid hashfor version 2 of the file, and the database refuses a write from thehash calculation process because the calculate hash was based on havingversion 1 of the file which is no longer the case.

One embodiment uses a WebDav API that already provides syntax forreading and writing arbitrary meta data. Methods are implemented to usethe WebDav API to interface with the database files, and have mappedprocess of FIG. 5 to the existing API. Web Distributed Authoring andVersioning (WebDAV) is an extension of the Hypertext Transfer Protocol(HTTP) that facilitates collaboration between users in editing andmanaging documents and files stored on World Wide Web servers. A workinggroup of the Internet Engineering Task Force (IETF) defines WebDAV inRFC 4918.

The WebDAV protocol makes the Web a readable and writable medium.[1] Itprovides a framework for users to create, change and move documents on aserver; typically a web server or web share. The most important featuresof the WebDAV protocol include the maintenance of properties about anauthor or modification date, namespace management, collections, andoverwrite protection. Maintenance of properties includes such things asthe creation, removal, and querying of file information. Namespacemanagement deals with the ability to copy and move web pages within aserver's namespace. Collections deals with the creation, removal, andlisting of various resources. Lastly, overwrite protection handlesaspects related to locking of files.

In one embodiment, the client software 10 acts as a translation agentbetween the original native file system and the system's split file andmetadata system. For each file the client software reads the file dataand the meta data and sends both components via a WebDav API. Theservers store the file data and meta data separately on a file system,but they are linked via folder proximity and file name.

Since there is no common database the system can scale up to billions offiles. Finding the meta data for a given file is simple since the filedata and the meta data are stored in proximity of each other.

Examples of File meta data include:

-   -   File modification time    -   File creation time    -   File access time    -   File size    -   Windows ACLs    -   UNIX permissions    -   SHA1 Hash of the file data

Although WebDAV is used in one embodiment, other protocols can be used.For example, the File Transfer Protocol (FTP) is a simple networkprotocol based on IP, which allows users to transfer files betweennetwork hosts. FTPS is an extension for secure traffic. Other protocolsinclude the SSH File Transfer Protocol (SFTP) which is an extension ofthe Secure Shell protocol (SSH) version 2.0 to provide secure filetransfer capability. A distributed file system such as the ServerMessage Block (SMB) protocol allows Microsoft Windows and open-sourceSamba clients to access and manage files and folders remotely on asuitable file server. AtomPub is an HTTP-based protocol for creating andupdating web resources, which can be used for some of the use cases ofWebDAV. It is based on standard HTTP verbs with standardized collectionresources that behave somewhat like the WebDAV model of directories.CMIS is a standard consisting of a set of Web services for sharinginformation among disparate content repositories that seeks to ensureinteroperability for people and applications using multiple contentrepositories; it has both SOAP and AtomPub based interfaces.

The client software application 10 iterates over a data master copy(which may be a primary copy or snapshot) and 1) input manifest filedescribing slave copy from a previous execution and/or 2) data slavecopy. Different tasks in this iteration may be asynchronous. Theapplication determines differences between the data copies with theoption to source meta-data and signatures from the manifest file atsignificantly lower input/output cost than accessing the slave copydirectly. Differences may be applied to the slave copy directly,indirectly through an intermediate file format, or the processes mayvalidate without making the copies match. The master copy may be thatbeing backed up or a copy of a previous backup for validation. Bothmaster and slave copies may be local or remote to the computer executingthe backup software, with protocols such as WebDAV or CIFS used toaccess data. An output manifest describing slave contents may begenerated for subsequent backup executions or other activities such asproviding a summary of storage utilization.

Next, an exemplary manifest file and format are discussed. The manifestfile describes the contents of a full or partial copy and may includemeta-data which is being transferred as part of a backup. This meta-dataencapsulation separate from data facilitates data transfer where thedesired intermediate format (example—ISO 9660 for optical media or FAT32for other block storage) lacks support for that meta-data (like WindowsNTFS access control lists) or the infrastructure writing the slave copyhas incomplete support for the chosen non-native file system used toaffect the transfer. The manifest entries may also associateintermediate files with alternate data streams or file forks on themaster and/or slave copy where the intermediate format does not supportsuch associations.

The manifest file describing contents is written in a collation orderwith one implementation arranging file system object entriesalphabetically with ancestors following descendants. For instance, adirectory tree may produce a manifest file containing entries

-   -   ad/1d, ad/2d, ad/2d/wf, ad/2d/xf, ad/2d, ad/3f, ad        where a directory, directory tree, or directory sub-tree is        processed in the same collation order (which facilitates        detecting differences without having information for every entry        in the data subset in memory) this allows sequential I/O where        the seek cost on rotating media is amortized over a relatively        large amount of data and the total I/O cost to read or write a        manifest file is negligible compared to other operations which        are necessary in the backup or validation process.

One implementation has header identifying information such as a manifestformat version allowing backwards compatibility when changes are made.The header may be stored in the same format as per-file entries. Theheader may have additional information about the source or destination.Such information may include file system attributes restored on recoverysuch as the number of inodes. It may describe other data and manifestcombinations which are other parts of a complete data set. The headermay include other arbitrary key/value pairs.

One implementation has a trailer. The trailer may be stored in the sameformat as the data record. The trailer may include a mechanism tovalidate that the entire file such as a hash. The trailer may includeother arbitrary key/value pairs.

One implementation treats manifest entries as a set of arbitrarykey/value pairs with one key treated as primary with its contents usedto determine order. Manifest entries may include internal or envelopefields used to validate record and/or file integrity up to that pointsuch as hashes.

One implementation uses a text format which can be accessed with aminimum implementation cost where the computer operating on it isdifferent in terms of operating system and/or processor where thingslike bit-width and word ordering may vary. Such a format also allowsmore rapid and less expensive tool implementation in languages otherthan that used to create the manifest file. Escaping may be used so thatthe data fields can contain key/value, field, and/or record separators.This facilitates backup validation on a machine (such as a server in aprivate cloud running a UNIX-like operating system) significantlydifferent from the one which wrote the backup (such as a Windows desktopmachine).

Hashes protecting record and file content key/value pairs may becalculated as if their fixed size value were replaced with a differentcharacter sequence such as the same number of ‘0’ characters.

One implementation of the manifest format is as follows:

-   -   The manifest starts with a header defining the version    -   (=header,_internal_type=header,_internal_version=1,_internal_record_crc=917e1394)    -   Each line in the manifest thereafter is a file or directory        entry. Each subentry in a line is separated by a comma    -   The first item is the file name preceeded by an equal sign (=)    -   The next subitem and all subsequent subitems are name value        pairs. Common name value pairs are:    -   acl_list: windows ACLS    -   hash: SHA1 hash of the file data    -   st_ctime: creation date    -   st_mtime: modification date    -   type: file,directory,link    -   st_size: file size    -   st_nlink: the number of links to the underlying inode    -   st_ino: inode number    -   _internal_record_crc is the last sub item in a line and is used        to verify the correctness of a given record.    -   The last line of the manifest provides a hash to validate the        whole manifest file.

=trailer,_internal_file_sha1_hash=9aabaa435425514a1f97b70c36013426bbbe2b50,_internal_type=trailer,_internal_record_crc=64a0a85f

One full file example of a manifest is as follows:

=header,_internal_type=header,_internal_version=1,_internal_record_crc=917e1394)=1998 Pie Guys Band/1998 Pie Guys Band2009.mov,acl_list=O:S-1-5-21-761903142-759465075-2234511197-1000G:S-1-5-21-761903142-759465075-2234511197-513D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;S-1-5-21-761903142-759465075-2234511197--1000)(A;;0x1200a9;;;BU),attrs=32&amp;amp;,hash=23cb78a5f5bf473a98d2b69567af85d3934bde3f,st_ctime=1335308694,st_ino=24182,st_mode=100000,st_mtime=1232316311,st_nlink=2,st_size=105,type=file,version=1,_internal_record_crc=eb9de567 =1998 Pie Guys Band/1998Pie Guys Band.avi,acl_list=O:S-1-5-21-761903142-759465075-2234511197-1000G:S-1-5-21-761903142-759465075-2234511197-513D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;S-1-5-21-761903142-759465075-2234511197-1000)=trailer,_internal_file_sha1_hash=9aabaa435425514a1f97b70c36013426bbbe2b50,_internal_type=trailer,_internal_record_crc=64a0a85f

Another exemplary manifest file is illustrated below:

=header,_internal_type=header,_internal_version=1,_internal_record_crc=917e1394=ad/1d,st_gid=0,st_nlink=0,st_uid=0,type=directory,_internal_record_crc=2a7af3b3=ad/2d/wf,hash=52d7173aca089119fa309bb0fdf290388579b820,st_atime=1352141874,st_gid=100,st_ino=2697433,st_mode=100644,st_mtime=1352141874,st_size=43,st_uid=1012,type=file,_internal_record_crc=373e829e=ad/2d/xf,hash=0f80ae7be0ae09addd00ac58e58b9754c8e97553,st_atime=1352141874,st_gid=100,st_ino=2697434,st_mode=100644,st_mtime=1352141874,st_size=43,st_uid=1012,type=file,_internal_record_crc=ecd8d7de=ad/2d,st_gid=0,st_nlink=0,st_uid=0,type=directory,_internal_record_crc=63cc26b0=ad/3f,hash=b71334e77eab6885df4fea046bde3316b9cd80a9,st_atime=1352141874,st_gid=100,st_ino=2697435,st_mode=100644,st_mtime=1352141874,st_size=40,st_uid=1012,type=file,_internal_record_crc=ebbb647e=ad,st_gid=0,st_nlink=0,st_uid=0,type=directory,_internal_record_crc=510b8160=,st_atime=1352141874,st_gid=100,st_ino=2697429,st_mode=40755,st_mtime=1352141874,st_nlink=2,st_size=4096,st_uid=1012,type=directory,_internal_record_crc=d667c7e4=trailer,_internal_file_sha1_hash=dcae1054559b6ac377dff739a7b2c0fe12e918a0,_internal_type=trailer,_internal_record_crc=ed3aa5ed

One exemplary backup process using manifest files is detailed next. FIG.6 shows an exemplary process for performing Asynchronous ReplicationCorrectness Validation. A replication is performed and a manifest isgenerated (510). The manifest is transferred to the server (512). Asnapshot is done to—

preserve a data set that should correspond exactly to the manifest(514). An asynchronous validation of the data set is performed using themanifest signatures (516). If the validation

In one implementation:

-   -   A manifest of the client data set is generated during the        initial and subsequent sync process, within the manifest is a        SHA1 signature of each file as well as a list of critical meta        data such as “last modified time” and “file size”    -   After the sync is done the manifest is transferred to the server        and stored    -   A snapshot is done on the server dataset to create a time frozen        data set and is performed at the end of a sync at the behest of        the software client 10 or on a regularly scheduled snapshot        schedule.    -   Asynchronously, the manifest is compared to the time frozen data        set on an item by item basis.    -   For each file the SHA1 signature is regenerated from the server        file and compared to the signature from the client. The critical        meta data is also compared.    -   If any file fails the signature or meta data test it is flagged        in such a way that the client will resynchronize the file at the        next available synchronization window.    -   All failures are also logged for analysis by the engineering and        QA teams.

The system can generate a manifest file with the actual contents of theserver which the client can access and synchronize against. Using theuploaded manifest file, all metadata (and optionally on-disk payload viahash compare) is verified and compared with the on-disk state. If adiscrepancy is found, the manifest is wiped or patched and pushed down,and the next sync job resolves all discrepancies. This second check is away of performing complete end to end validation, like a restore test,without having to do an actual restore.

The client server based replication creates a copy of data from theclient system to the servers. The copy is a representation of the datathat should be an exact copy of the client system data. Replication hasmany steps that could potentially introduce discrepancies between theclient and server data sets. The above process validates the correctnessof the replicated copy without introducing additional load on the clientcomputer and allows for flexibility in the time that the process wasperformed.

One implementation has up to one thread reading an existing manifestfile sequentially, up to one thread writing a new manifest filesequentially, and a configurable number performing asynchronous I/O onmaster and/or slave copies and computations necessary for the back-upprocesses such as hash generation to detect subsequent data changes andallow backup validation. The threads may have roles which change throughprogram execution—for instance, a single thread may alternately read theinput manifest, access the master copy, access a slave copy, and writethe output manifest. —

The sequential I/O processing the manifest file has a negligible impacton the time and resources needed to complete a backup on the customersystem.

File system object differences may be determined and acted upon directlyfrom comparing master and slave meta-data. Differences may be determinedwith one indirection step from comparing the current master copy to itsdescription in the current slave manifest file thus reducing I/O on theslave copy which allows a smaller ratio of servers and disk drives tocustomers where the hardware handling the slave copy is owned and/oroperated by a party other than that making the backup. This mechanism ofdetermining differences results in fewer superfluous transfers thansimply looking at object modification times which may advance for bothdata and meta-data (like permission changes) updates. It supportsmultiple slave copies processed separately which is less practical withan archive bit. Differences may be determined through two steps ofindirection, for example with a file hash mismatch between master copyand current slave manifest leading to a comparison of file segments toper-segment hashes or checksums. This double indirection allows aminimal set of changes to be transferred to the slave copy without theI/O cost of examining the finer grained signature data when notrequired.

Another implementation tries to process file system objects in thecollation order, with out-of order processing allowed when directoryreads complete on later collating directories before earlier.

Flow control may be applied so that meta-data retrieval from an inputmanifest file and master and the slave copy meta-data traversal ceaseswhen the amount of meta-data in-core reaches some threshold so thatmemory is not exhausted and the computer does not need to page or swapto disk which can reduce performance by orders of magnitude. Exceptionsare applied to the flow control scheme can be applied to preventdeadlock; for instance directory reads will always be performed onmaster copy directories where their entries will be next in the manifestfile.

Where an individual directory contains numerous entries, its meta-datafor that copy may be retrieved in manageable increments, sorted, andwritten to a manifest file. The contents of those files may be ingestedas needed subject to the flow control rules, with merge sorts performedas they are read and/or as a separate process where the resulting numberof open files would be undesirable.

Where the backup process is terminated before completion due toscheduled or unscheduled reasons the new manifest file may be combinedwith the old manifest file and the process resumed where it left off bya new backup program execution. Scheduled reasons include but are notlimited to operating system upgrades and to reduce load on a systemduring business hours when its resources are needed for other purposes.Unscheduled reasons include backup program termination due toinsufficient resources like memory or a program error.

This combination may be performed with a merge sort. The merge sort maybe performed before the backup process resumes with the old manifestfile describing slave contents as they were before the backup combinedwith the incomplete manifest file from the incomplete backup to producea third manifest file which is then used for input. While mergingmanifest files the backup program may note the last entry in the newmanifest file and elect not to perform expensive operations on filesystem objects which collate before that so that the backup completessooner in the time available. The merge sort may be performed onmanifest read with old and new manifest files combined as they are read.In that case the skip logic can be performed with a search for the lastentry beginning at the end of the new file.

When synchronizing a slave copy, one implementation updates the slavewhen differences are detected where the slave may be on a directlyattached file system, network file system like CIFS or NFS, or WANtarget via a protocol such as WebDAV.

When synchronizing another implementation generates one or moremanifests describing the contents of one or mass storage units which canthen be physically moved to where slave copy exists and used inconjunction with the manifest file(s) to populate it. This is useful foringesting new data and restoring customer data following a storagefailure where shipping media provides higher bandwidth than the mastercopy to slave network connection.

The same backup program and process may be used for restoration, wherewhat was the slave on the backup is the master is used for restoration.

The same backup program and process may be used to asynchronouslyvalidate that the slave copy matches what the program on the masterbelieves it to be with this process executing at a time outside thebackup windows where load on the slave copy processors and storage islower.

FIG. 7 shows an exemplary process to efficient replication of clientmachine content. As network bandwidth is generally the key limitingresource for an Internet delivered backup or replication service, oneembodiment of the client software 10 goes through a number of steps toensure that the minimum amount of data needs to be transmitted.

First, the manifest is used (672) to identify locally what files havechanged. This is done by traversing all the files in a subdirectory andcomparing the cached status of the corresponding file on the server end.If the file is the same it is ignored. If the file in new, it is markedfor upload and if it has changed, it is passed to the sub-file changedetector.

Next, a local sub-file signature cache is consulted to detectinsertions, removals, and rearrangements of data in files, so that onlythe changed portion of the file is transmitted (674). Changes arewrapped into a container and marked for transmission

All uploads that are compressible, as determined by their file types,are compressed with standard compression libraries, the payload isencrypted with SSL, and the payloads are transferred to back up server(676). In one embodiment, this is done in 10 MB chunks over WebDAV,which is an API that uses HTTP and is designed for moving large amountsof data over WAN connections. Additionally, multiple threads are run inparallel, overcoming slowness or limitations in TCP window scalingadjustments, or handling network “long fat,” (high latency highbandwidth) network connections.

At the receiving end the WebDAV server intelligently decrypts, expandsthe patch sets, and stamps them down onto the file system (678). Thisresults in the transfer efficiency of an incremental backup, butgenerates a full backup with snapshots going back in time for versionhistory. Notably, this also results in a mountable/usable file system,as opposed to a backup “blob,” that requires processing by the backupsoftware before it is transformed back into a usable state.

Details on one implementation with the WebDav interface extensions:

-   -   Compression is performed using the HTTP        Content-Transfer-Encoding: gzip methodology. This allows objects        transferred via HTTP to be compressed with the gzip library        during transfer. This is something that is technically allowed        in the HTTP specification, but to our knowledge has never been        implemented for WebDAV uploads. (or possibly any uploads via        HTTP).    -   Subfile patching is performed using a new HTTP verb that we        implemented called PATCH-APPLY. Details are below.    -   COMMAND=PATCH-APPLY    -   Headers    -   content-range=bytes:range_start-range_end/total_file_size,        Required    -   This header is used to indicate the portion of the file that is        being modified, by this command.    -   range_start and range_end are inclusive offsets.    -   Eg. content-range=bytes:0-1023/2097152    -   specifies a chunk from the beginning of the file, of size 1K,        for a file of 2 MB    -   content-length=size_of_delta_contents, Optional    -   Eg.content-length=11, specifies delta content payload of 11        bytes,    -   which usually indicates a delta command meaning no change.    -   FileTruncate=true, Optional    -   Setting this flag, will cause the file to be truncated to the        byte specified by range_end, in the content-range header.    -   Setting the value to be anything else, will indicate        FileTruncate=false.

PAYLOAD=delta content

Response:

Success-http response code 204

Indicates the file on the server has been updated.

Failure-http response code 500,400

Any error on the server when processing the command, returns this errorcode.

Known error cases:

-   -   content-range header is missing, bad content-length, error when        reading data-400 (HTTP_BAD_REQUEST)    -   file does not exist-500(HTTP_INTERNAL_SERVER_ERROR)    -   file offset does not exist-500(HTTP_INTERNAL_SERVER_ERROR)    -   file io error, eg. unable to read or write to        disk-500(HTTP_INTERNAL_SERVER_ERROR)    -   The subfile delta content payload is a package that contains all        of the delta data with file offsets for where the data is to be        inserted within the file. The payload is generated via the Rsync        library. (an open source subfile detection library)

As network bandwidth is generally the key limiting resource for anInternet delivered backup or replication service, the client software 10goes through a number of steps to ensure that the minimum amount of dataneeds to be transmitted.

FIG. 8 shows an exemplary process to reduce data transfer for files. Theprocess iterates over each file in a subdirectory in a recursive manner(704). First the process compares the file against the correspondingdirectory in the remote server directly, or it can compare against acached manifest which lists server folder contents (710). If the file isthe same as the file on the server, the process ignores the file (712).Alternatively, if the file has changed (716), the process detectschanged blocks using the file signature (718) and packages the changedblocks with location data (720). If the file is new, the processtransfers the new file to the server directory (714). From 714 or 720,the process accepts the whole file or the changed set for transmission(722). Data is separated into chunks (724), and compressed ifcompressible (726). The data is then transmitted using WebDav APIextensions in one embodiment (728) over the Internet 110. At the server,the data is decrypted and parsed using WebDav to interpret the request(730). If the data is for the whole file or a chunk of a file, theprocess writes the data direct to disk (732). Alternatively, if asub-file package is received, the file is patched and rewritten to disk(734). From 732 or 734, the back end data storage system receives andstores the files and directories (740).

One implementation of FIG. 8 includes the following operations:

-   -   First, the manifest is used to identify locally what files have        changed. This is done by traversing all the files in a        subdirectory and comparing the cached status of the        corresponding file on the server end. If the file is the same it        is ignored. If the file in new it is marked for upload and if it        has changed, it is passed to the sub-file change detector.    -   Next, a local sub-file signature cache is consulted to detect        insertions, removals, and rearrangements of data in files, so        that only the changed portion of the file is transmitted.        Changes are wrapped into a container and marked for transmission    -   All uploads that are compressible, as determined by their file        types, are compressed with standard compression libraries, the        payload is encrypted with SSL, and the payloads are transferred        in 10 MB chunks over WebDAV, which is an API that uses HTTP and        is designed for moving large amounts of data over WAN        connections. Additionally, multiple threads are run in parallel,        overcoming slowness or limitations in tcp window scaling        adjustments, or handling network “long fat,” (high latency high        bandwidth) network connections.    -   At the receiving end the WebDAV server intelligently decrypts,        expands the patch sets, and stamps them down onto the file        system. This results in the transfer efficiency of an        incremental backup, but generates a full backup with snapshots        going back in time for version history. Notably, this also        results in a mountable/usable files system, as opposed to a        backup “blob,” that requires processing by the backup software        before it is transformed back into a usable state.

FIG. 9 shows a process for state consistent replication. First, theprocess takes or locates a client side snapshot (810. Next, the processselects a corresponding remote file system (812). The process replicatesor mirrors that data from the client to the server file system (814).The process then snapshots the server file system and name the file toreflect the client side snapshot (816). Optionally, the process deletesthe client side snapshot (818).

Snapshots are copies of data backup that capture the state of the userfiles at a point in time. As data changes over time, individualsnapshots provide a recoverable copy of previous versions. Benefits ThatSnapshots Provide:

1. Versioning-enabled backups—In addition to being able to recover datadeleted in the past the user can also recover versions of data that mayhave changed or been corrupted.

2. Incremental Forever—The user can recover files from your backup as ifyou were doing full backups every day, but the amount of actual storagebeing used is just 1 full+the daily incremental changes that make upeach snapshot.

Snapshots's versioning granularity provides significant advantages overnormal backups when recovering a file, file system, or database.

By leveraging client side snapshots (whether VSS, LVM, or on a NetAppfiler), snapping the source data, performing the sync, and thensnapshotting on the server side results in an identical data set on theserver side. This is the same net result as products (and associatedclaims) such as NetApp SnapMirror or EMC Replication Manager, butoperating in a very different mechanism (the aforementioned are blockbased tracking). The advantage is that it supports heterogeneous storagestorage (from any vendor to Zetta, or from any vendor to any vendor).

In one implementation, the process can implement the following steps:

1 Create or find an existing snapshot on the local file system. (clientvolume)

a On Windows the client can create a new snapshot using VSS.

b On a Netapp the client can interrogate the Netapp to get a list ofexisting snapshots and then choose an appropriate one such as the lastdaily snapshot.

2 Use a server side volume that corresponds to the local file systemtree. The same volume is used for the first and all subsequent syncs.The server side volume will accept file system changes on the “tip”.

3 Perform a master to slave replication step. At the end of this stepthe server file system “tip” should mirror the contents of the clientfile system.

a The client software iterates over a dataset by starting with aninitial directory and recursively syncing the entire tree.

b Files and directories that exist on the client side but not the serverside are assumed to be new and are created on the server side

c Files that have changed on the client side are copied to the serverside. This may be done by just copying the changes rather than the wholefile.

d Any files or directories that are found on the server side but not theclient side are assumed to have been deleted and are deleted on theserver side.

4 Trigger a snapshot on the server side file system and mark or title itwith a relevant name.

a For Netapps use the same name as the snapshot that exists on theNetapp

b For Windows name file new snapshot after the current date and time ofwhen the VSS snapshot was taken.

5 By repeating the process a series of snapshots can be created on theremote server that exactly mirror the snapshots on a Netapp appliance ora Windows system. The snapshots on the client side can also be removedknowing that the server holds a copy.

The use of versioning-enabled backups protects data from complianceissues or a natural disaster by pairing snapshots with replication.Rather that storing snapshots compressed, or in a proprietary format,replication makes the backup a fully instantiated file system—in itsnative format—so disaster recovery becomes as easy as pulling a file offa file server.

Replication Technology is:

1. Block-level Change Detection—Any folder or directory the user adds tothe backup during setup will be scanned during each daily backup cycle.Any files that have been modified since the last backup will have justthe bytes that have changed replicated across the wire to the backupvolume. Since only about 2% of active files are modified during anygiven day, this feature drastically cuts down the amount of data thatneeds be transferred.

2. High-Speed, High-Reliability Data Transfers—The WebDAV transferprotocol is optimized for multi-threaded transfers. WebDAV is inherentlyfaster than other data transfer technology since it works over HTTP,just like the internet itself. From the management console in the clientsoftware, the user can select the number of threads to use whentransferring data.

FIG. 10 shows an exemplary process for data recovery. To recover a fileor server, there are easy 3 options. The user can go through thesoftware agent, find the version of the file he or she is looking forfrom the right day and click, “recover” (872). Or, the user can click aURL that will allow you to recover from your backup directly over theweb by showing the replicated file system (874). Lastly, the user canchoose to mount the backup as drive so it will show up like any othershared network drive on the user's system (876).

The client software 10 is able to backup data from a NetApp by reading auser generated configuration file which defines the data sources to backup and the appropriate login credentials to gain access to these datasources. When the file is read by Client software 10 network mounts willbe created to the defined data sources and the Client software 10 agentwill trigger a snapshot on the NetApp appliance which is used to capturea consistent state of the NetApp file system and replicate the targeteddata to the System cloud.

The Client software 10 Backup Process

1. Client software 10 agent is triggered to start a job based on userdefined backup schedule.

2. Client software 10 agent reads the configuration file and mounts thedirectory to backup.

3. Client software 10 agent connects to the NetApp and triggers a NetAppsnapshot which allows a consistent copy of the data to be backed up.

4. Client software 10 agent walks the directory tree, finds files thathave changed and transmits the delta to System.

5. Once the transfer of data is complete System creates a snapshot ofthe file system on the System storage end.

6. Client software 10 deletes NetApp snapshot and disconnects from theNetApp.

In order to backup data from a NetApp a Client software 10 agent willneed to be installed on a system running a supported client software OS.This system will be referred to as the Client software Host and willfunction as the gateway to the NetApp. The Client software Host shouldhave a good connectivity to both the NetApp and the Internet; latencybetween the Client software Host and the NetApp will decrease syncperformance. Each client software Host will have a user generatedconfiguration file that defines the NetApp server address, logincredentials and what data sources the Client software agent is tobackup.

In the event of a clustered environment where multiple NetApp heads arein use multiple Client software 10 Hosts will need to be used where eachhost connects to an individual NetApp head with its own config file forthe unique server address.

If the Client software Host is a Windows system, the Client softwareagent will create a network mount to access the data using an availabledrive letter. If the Client software 10 Host is a Linux system—the usermust create the target directory for the NetApp source to be mounted toand specify this directory in the “mount:” section of the configurationtext which is given below in the configuration section.

The OS of the Client software Host will determine the ability of Clientsoftware 10 to backup different security styles within the NetApp. Sinceone of the benefits of utilizing NetApp Qtrees is the ability to storeboth UNIX and NTFS security styles it is common to have both types andwant to maintain both in your backup. To preserve UNIX ACLs the Clientsoftware host will need to run on a supported UNIX operating system.Similarly, to preserve NTFS ACLs the Client software host will need torun a supported Windows operating system. If mixed security style isused the recommended best practice is to use a Windows system as theClient software host.

One embodiment of the client software 10 and the server supportssimultaneous generation of a local backup on a Windows or NFS share forrapid restore purposes, for mission critical or especially large files,in addition to transferring to the servers. The system does not requirean appliance, but only—any mountable shared devices or a USB drive, forexample, can be a valid target. An efficient access to version historyis available by using the local copy as a “seed,” and the system canaccess server-side snapshot data and transmitting only the patch setsrequired to revert to any particular version.

FIG. 11 shows an exemplary real-time billing and metrics reportingprocess. Data from storage volumes 910 are captured by reporting agents920 and sent to a message queuing server 930. Data is then sent torespective receiving agents 932 and buffered in database 940.Periodically, roll-up agents 942 cumulates the statistics and updatesthe database 940. Upon demand, a display or query agent 944 retrievesbilling and metrics information from the database 940 and rendersbilling and metrics reports or screen displays for users on-demand.

The System backend has a scalable system for collecting, rolling up,acting on, and displaying an arbitrary set of metrics. Current usage isfor customer bandwidth and footprint metrics, but this can be extendedover time.

The system storage system consists of a large number of storage volumesthat can each operate independently of each other. A single customer canhave one or many volumes and the system supports thousands orpotentially millions of independent volumes. For the purpose of metricsand billing it is necessary to measure, store and aggregate the storagemetrics for each volume in a way that is easily retrieved for graphing,monthly billing, and real time viewing of each customer's volumes.

Storage metrics on each volume are queried on a regularly scheduledbasis. In one embodiment they are collected once a minute. Each samplethat is collected is packaged into a message format that includes anidentifier for the volume (volume_id), a timestamp and the metrics thatare collected. There can be one message for each metric or a combinationof one or more messages that include multiple metrics in a message. Themetrics are identified by predefined names such as “Read MB/S”, “WriteMB/S”, “Total space in Bytes”, “Snapshot space in Bytes”, among others.

The messages are sent to a set of message queuing servers that queue themessages and allows for delivery to specific receiving agents. Thequeuing servers are clustered to support hot failover and are persistentto protect against data loss in the event of a power failure.

A set of receiving agents take messages off the queuing servers andprocesses them. A receiving agent operates against a persistent databasestore that holds aggregate metrics for a given volume and is correlatedby customer as well. For each new message an entry is added to thedatabase store for the corresponding time. Messages are processed intime sequence order, but this is not a requirement for all such systems.

At specified intervals metrics are “rolled up” to reduce the granularityof the data. For instance, after multiple months of data collection theoldest points in the database can be averaged to daily samples ratherthan by the minute. This reduces the number of samples by a ratio of1440 to 1 while still providing a daily view of the dataset. Averagingcan be accomplished by calculating the mean, the peak or other wellestablished averaging methodologies. Roll ups are calculated by queryingthe database for a specified roll up interval, receiving the data,calculating the average and then writing out a new rollup entry in thedatabase. Old data points are then removed from the database.

Agents that display the data or perform billing aggregation are able toquery the database for any time range. In some cases a time range willcontain a rollup metric rather than a normal reporting interval. Whenrollup metrics are found they replace an interval of normal data and canbe used to calculate averages of larger time periods or for thegraphical display of time series metrics. In the system there arebilling agents that aggregate monthly metrics into a monthly bill basedon average or maximum storage for the month, and average, actual, ormaximum bandwidth for the month. System also displays time series graphsof individual and aggregate volumes with multiple time scales. Highlevel graphs show monthly or daily intervals and allow zooming down tothe lowest level data granularity.

FIGS. 12A-12H show exemplary user interface screens. FIG. 12A shows anexemplary Client Download selection screen. The screen allows the userto download and install any number of copies of the lightweight clientonto the servers, VMs and executive laptops. Once the client software isinstalled, all configuration and management is done through a webbrowser.

FIG. 12B shows an exemplary configuration and recovery screen. Thisscreen enables a two-click set-up process where the user selects whattime and what data to protect. On schedule, the client software wakesup, finds changes that have occurred since the last sync window, andthen sends only the changed blocks to servers in the system, where theyare patched into the replica copy, bringing the backup current.

FIG. 12C shows an exemplary screen showing Online Status. The syncstatus history is always available on the web.

FIG. 12D shows an exemplary Daily Digest report. Every day, the userreceives a “Daily Digest” email depicting the success of all thesystems' syncs from the prior 24 hours. No need to dig around for peaceof mind.

FIG. 12E shows an exemplary Automated Versioning report. The systemautomatically snapshots the backup copy (daily is the default) creatingan online, mountable retention history.

FIG. 12F shows an exemplary screen showing Data Recovery and Web Accessto Data. The user can access the backup data is with just a web browser. . . from anywhere. Data is mirrored in the same file structure at thecomputer that the user operates. This allows instant recovery/access toany files, folders, or entire file systems.

FIG. 12G shows an exemplary user interface for mapping a drive forrecovery. The user can access the data is with a mapped network drive.Since data is stored at the server in file system format, the user cansimply map a local drive to the remote storage copy and directly accessfiles with workstation tools and applications.

FIG. 12H shows an exemplary data recovery screen using Local Restore.The third way to recover/access data is to copy it back to a localserver, either the original server that hosted the data or another one(possibly in another location). The user can simply point to the data heor she wants to restore, and the version needed, and the client software10 will pull it back down from the cloud.

FIG. 13 shows an exemplary approach for managing customer clients. Thedesign goal is to create a network of clients that are centrallycontrolled and monitored while requiring a minimum of changes to acustomer's network topology. The system has a plurality of clients 950such as ZettaMirror clients communicating through Firewall 952 to theSMP 954 and one or more storage silos 956. ZettaMirror clients areinstalled by a customer on each machine that requires a backup. Afterregistration the client registers itself as a service and runscontinuously on the host machine. The client service initiates aconnection to the Zetta SMP using secure HTTP over SSL. Whenever the SMPwishes to send a command to the client the existing HTTP connection isused. The client will periodically refresh the HTTP connection toprevent it from getting stale and will automatically reconnect wheneverthe connection is lost. If for whatever reason the SMP is unavailablethe client will continue to try and connect on a periodic basis untilthe SMP can be reached. Status information is also sent via output HTTPSconnections but sent to a separate service URL, this can be done inparallel with the control connection. The control connect is used tosend the client a schedule for when it should perform backup, sync orother actions. The schedule can be used to initiate a timed action evenif the control connection is unavailable when the timed action is set tofire. As long as the remote storage is available the sync or backup canproceed as normal. This isolates SMP failures from interrupting the syncor backup schedules.

Using the above methodology the client never needs to accept an incomingTCP connection, but is always available to be sent a control message.All of the clients connect over the public internet or via privateleased lines to a centralized SMP cluster and are able to be managedthrough a single interface.

The system data protect service is designed to be as simple as possibleto configure and operate. The system enables a high performance cloudstorage that looked and performed like a storage appliance. A real filesystem back end allows the system to offer a replication solution thatis far more powerful than just backup. The system volume is mountablesimilar to a network attached storage system within existingenterprises. This allows for greater flexibility and true disasterrecovery and archive functionality. The system is a three in onesolution that offers greater functionality than traditional backup whilereplacing existing enterprise backup solutions.

A standards based file access protocol is used. The system supports theWebDav file access protocol which allows for file access from a largevariety of third party software products including native access withinWindows and Mac. WebDav is an internet friendly protocol built upon HTTPthat incorporates encryption and WAN efficiency as well as a wide rangeof file operations to support remote file system operations. Throughthis technology, customers are able to mount a network drive on adesktop or server and directly access the system archives, includingsnapshot versions.

The system supports and requires encryption for every interaction withthe system service. HTTPS and SSL, is required for all interaction withthe service and is used to secure all file transfers. Additionally, allfiles stored are encrypted at rest with file encryption techniquesoriginally designed for military and government use.

The system readily syncs very large data sets. Very large data sizeswith large files (50 TB or more) as well as data sets with tens ofmillions of small files are both handled through a combination oftechnologies which support:

-   -   Rapid and efficient change detection for large numbers of files        (See “Manifest”) Only changed files to be examined for possible        transfer.    -   Sub-file change detection reduces the amount of data that needs        to be sent.    -   Compressible data is compressed and the end result is        checksummed against the original to detect errors.    -   WAN efficient protocols that can efficiently utilize any        available size, internet connection.    -   Configurable parallelism for multi-processor efficiency and high        latency connections, or backing up NAS/SAN or RAID arrays with        multiple disks    -   Fast back end. The file servers are optimized for the        application and are able to receive data very quickly. Single        data silos can obtain write speeds of hundreds of MB/sec.        Restores represent less than 1% of the load and are        exceptionally fast due to a surplus of read IOPS and bandwidth.

The system is extremely efficient at iterating and detecting individualchanges scattered throughout very large data sets. The manifesttechnology can scan and detect changes within single data sets with manyfiles, even over 100 million files in one embodiment. The system is ableto do this without causing significant memory, CPU, or mass storage IOload on the host system. The system has a scan rate capable of runningwithin small backup windows.

The data mover can transfer data over the internet at the maximumpossible speed. The system can handle sub-file change detection. Manyprograms, databases in particular, continuously update existing files.Many backup programs are forced to reimage the entire file even if onlya small portion of it has changed. The system keeps a small signature ofevery large file that it encounters and is able to use that signatureefficiently to find blocks within changed files that have realdifferences. The change detection is able to detect blocks changed inplace, data added to the end of files and data shifts. The system hasoptimized the algorithm to be especially efficient for databases and touse a minimum of signature storage space. A digital signature isgenerated on every file. Every file that enters the system backendsystem is checksummed using the SHA1 cryptographic hash algorithm. Thechecksum is stored separately from each file and can be referenced as amethod of verifying that the data stored at The system is still valid.The client software uses this checksum to perform end to endverification of data integrity and the system backend is also able touse the checksum for data scrubbing purposes.

SHA-1 is a cryptographic hash function designed by the United StatesNational Security Agency and published by the United States NIST as aU.S. Federal Information Processing Standard. SHA stands for “securehash algorithm”. The four SHA algorithms are structured differently andare distinguished as SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 is the mostwidely used of the existing SHA hash functions, and is employed inseveral widely used applications and protocols. SHA-3, was announced onOct. 2, 2012.SHA-1 produces a 160-bit message digest based on principlessimilar to those used by Ronald L. Rivest of MIT in the design of theMD4 and MD5 message digest algorithms, but has a more conservativedesign. The original specification of the algorithm was published in1993 as the Secure Hash Standard, FIPS PUB 180, by US governmentstandards agency NIST (National Institute of Standards and Technology).This version is now often referred to as SHA-0.

Each incremental change is applied to a full in such a way that a newfull is generated. Using snapshot technology the system is able to keepa configurable number of full backups, space efficiently and withinstant access and no rebuild time. Additionally, since a new full isgenerated after every backup, the system never needs to take a new fullbackup, which saves even more time. The net effect is that any file fromany version is instantly available for restoring from the system.

Snapshots represent an immutable and verifiably correct representation(because the snapshots also contain the SHA1 hashes) of the source data.The snapshots are space efficient such that if 128 k of a 10 MB filechanges (after one or more snapshots were taken) the total spaceutilized is only 10 MB+128 k (plus small amount of overhead). Eachsnapshot only grows the total data set size by the amount of unique datathat changed during that period. The system is able to emulatetraditional tape rotation schedules through snapshot promotion, walkingthrough 30 dailies, 12 monthlies, and as many yearly snapshots asrequired.

The system backend creates snapshots on both a scheduled basis as wellas “snap after sync,” for data consistency. Snapshots are a point intime “frozen,” version of the file system. For databases, but also othertypes of applications, going through and copying up file by file doesn'twork because more than a single file needs to be captured at a singlepoint in time (imagine a book where each page is a file, any time a pagewas updated or inserted the index or table of contents would need to beupdated as well). The system supports VSS snapshots on the Microsoftplatform on the client side as a method of freezing the source data.Finally, snapshots power a geo-diverse replication.

The system protects service along with agents that allow for completeautomation of the backup/DR process. The end to end nature of the systemservice and the lack of any required client side appliances allows forcomplete automation with no customer level intervention. Legacy basedbackup systems are notorious for breaking easily and requiring weeklyintervention. The system Service architecture detects and automaticallyfixes most common problems. The system employs two different automaticupgrade systems. The backend service is upgraded automatically andusually with zero downtime. All service upgrades, disk failures, storageupgrades, networking, among others, are handled by the system with nocustomer involvement necessary. The system's agents also are capable ofa fully automated upgrade process or one controlled by the end user attheir discretion. All commonly deployed windows versions, multiple macversions and a plurality of versions of Linux are supported by thesystem. A file system abstraction layer allows for all meta data to bestored in a platform neutral way on a single customer volume allowingfor mixed used in a heterogeneous environment. All the clients aremanaged in a common way through the web based configuration platformfurther reducing complexity in a heterogeneous environment.

The system uses light weight agents and a SAS backend to replaceexisting heavyweight hardware solutions. Customers can sign up,provision and deploy within minutes rather than months. Additionally,since there is no hardware to maintain, most customer problems can besolved proactively by support personnel or over the phone.

The Web-based System Management Portal (SMP) is used to manage,configure, recover and report on data protection jobs—The system's webbased configuration portal technology allows for the configuration andmanagement of customer systems in a single place from a single sign-on.All system status is available from a single page and is greatlysimplified over traditional distributed systems. The single portalconcept is a “must have” feature for busy system administrators andmakes the entire system deployment, configuration and maintenanceexperience seamless and easy.

The system supports multiple methods for customer restores based on thecustomer need at the time. The system agent performs batch restores oflarge numbers of files using the same techniques used to backup thedata. A la carte restores are possible through a web based file browserthat replicates the look and feel of a native file explorer. Thesystem's mount capability offers even more flexibility for the customer.By mounting the system storage volume on a desktop or server, thecustomer can have read only on demand access to any version of theirbacked up files.

The system's customers receive daily digest reports that summarizecustomer activity allow customers to know that everything is protectedwithout having to actively monitor the system. The system has nativedatabase backup and restore software to make the process simple andautomated. The system's MS-SQL backup connector automaticallycheckpoints the database, writes a current copy, detects and uploads thesub file changes and allows for a local copy to be saved on anyavailable direct attached or network attached file system.

The system's Netapp replication product can perform a near equivalentSnap Mirror replication without the need to purchase SnapMirror, anotherNetapp appliance, and set up another data center. The system is able tocreate and replicate NetApp snapshots and recreate thesnapshots—identically—on the system backend service. Customers can reapthe benefits of SnapMirror for a small fraction of the cost and cansimultaneously reduce vendor lock in for their storage appliance.

The use of a real file system back end allows the system to offer areplication solution that is far more powerful than just backup. Thesystem volume is mountable similar to a network attached storage systemwithin existing enterprises. This allows for greater flexibility andtrue DR and archive functionality. The system is a three in one solutionthat offers greater functionality than traditional backup whilereplacing existing enterprise backup solutions. The system supports theWebdav file access protocol which allows for file access from a largevariety of third party software products including native access withinWindows and Mac. Webdav is an internet friendly protocol built upon HTTPthat incorporates encryption and WAN efficiency as well as a wide rangeof file operations to support remote file system operations. Throughthis technology, customers are able to mount a network drive on adesktop or server and directly access the system archives, includingsnapshot versions. The system supports and requires encryption for everyinteraction with the system service. HTTPS and SSL, which were inventedand standardized by the company co-founders, is required for allinteraction with the service and is used to secure all file transfers.Additionally, all files stored at the system are encrypted at rest withfile encryption techniques originally designed for military andgovernment use. The system readily syncs very large data sets. Verylarge data sizes with large files (50 TB or more) as well as data setswith tens of millions of small files are both handled through acombination of technologies which support:

-   -   Rapid and efficient change detection for large numbers of files        (See “Manifest”) Only changed files to be examined for possible        transfer.    -   Subfile change detection reduces the amount of data that needs        to be sent.    -   Compressible data is compressed and the end result is        checksummed against the original to detect errors.    -   Wan efficient protocols that can efficiently utilize any        available size internet connection.    -   Configurable parallelism for multi processor efficiency and high        latency connections, or backing up NAS/SAN or RAID arrays with        multiple disks    -   Very fast back end. Our file servers are optimized for our        application and are able to receive data very quickly. Single        data silos can obtain write speeds of hundreds of MB/sec.        Restores represent less than 1% of the load and are        exceptionally fast due to a surplus of read IOPS and bandwidth.

The system developed its “manifest” technology to be able to scan anddetect changes within single data sets with hundreds of million files.The system is able to do this without causing significant memory or CPUload on the host system and has a scan rate capable of running withinsmall backup windows. The WAN optimized data mover efficiently movesdata over the internet at the maximum possible speed. The first versionswere designed by one of the original architects of the HTTP protocol andembodied more than a decade of experience in WAN optimization to achievegreater than Gb/sec speeds.

Many programs, databases in particular, continuously update existingfiles. Many backup programs are forced to reimage the entire file evenif only a small portion of it has changed. The system keeps a smallsignature of every large file that it encounters and is able to use thatsignature efficiently to find blocks within changed files that have realdifferences. The change detection is able to detect blocks changed inplace, data added to the end of files and data shifts. The system hasoptimized the algorithm to be especially efficient for databases and touse a minimum of signature storage space.

A Digital Signature is saved on every file—Every file that enters thesystem backend system is checksummed using the SHA1 cryptographic hashalgorithm. The checksum is stored separately from each file and can bereferenced as a method of verifying that the data stored at the systemis still valid. The system uses this checksum to perform end to endverification of data integrity and the system backend is also able touse the checksum for data scrubbing purposes.

Reverse incremental backups can be done. Traditional incremental backupsare known for substantially reducing the time for nightly backups.Incrementals only backup the files that have changed and store them in achangeset. The problem with most incremental technologies is thatrestores need to be built up from the last full plus any and allincrementals. The restore process can take a very long time to rebuildthe state just to get to the point where you can restore a single file.The system takes a different approach. At The system each incrementalchange is applied to a full in such a way that a new full is generated.Using our snapshot technology we are able to keep a configurable numberof full backups, space efficiently and with instant access and norebuild time. Additionally, since a new full is generated after everybackup the system never needs to take a new full backup, which saveseven more time. The net effect is that any file from any version isinstantly available for restoring from the system.

The system backend creates snapshots on both a scheduled basis as wellas “snap after sync,” for data consistency. Snapshots are a point intime “frozen,” version of the file system. For databases, but also othertypes of applications, going through and copying up file by file doesn'twork because more than a single file needs to be captured at a singlepoint in time (imagine a book where each page is a file, any time a pagewas updated or inserted the index or table of contents would need to beupdated as well). The system supports VSS snapshots on the Microsoftplatform on the client side as a method of freezing the source data.Finally, snapshots power our geo-diverse replication. Snapshots, as animmutable and verifiably correct representation (because the snapshotsalso contain the SHA1 hashes) of the source data, enables our solutionsin the SEC 17a-4 compliance space for broker/dealers. In one embodiment,the snapshots are space efficient such that if 128 k of a 10 MB filechanges (after one or more snapshots were taken) the total spaceutilized is only 10 MB+128 k (plus small amount of overhead). Eachsnapshot only grows the total data set size by the amount of unique datathat changed during that period. The system is able to emulatetraditional tape rotation schedules through snapshot promotion, walkingthrough 30 dailies, 12 monthlies, and as many yearly snapshots asrequired.

The data protect service along with agents that allow for completeautomation of the backup/DR process. The end to end nature of the systemservice and the lack of any required client side appliances allows forcomplete automation with no customer level intervention. Legacy basedbackup systems are notorious for breaking easily and requiring weeklyintervention. The system Service architecture detects and automaticallyfixes most common problems.

The system employs two different automatic upgrade systems. The backendservice is upgraded automatically and usually with zero downtime. Allservice upgrades, disk failures, storage upgrades, networking, amongothers, are handled by The system with no customer involvementnecessary. The system agents also are capable of a fully automatedupgrade process or one controlled by the end user at their discretion.

The system uses light weight agents and a SAS backend to replaceexisting heavyweight hardware solutions. Customers can sign up,provision and deploy within minutes rather than months. Additionally,since there is no hardware to maintain, most customer problems can besolved proactively by system support personnel or over the phone. Thesystem maintains a full end-to-end solution.

The Web-based System Management Portal (SMP) to manage, configure,recover and report on data protection jobs—The system's web basedconfiguration portal technology allows for the configuration andmanagement of customer systems in a single place from a single sign-on.All system status is available from a single page and is greatlysimplified over traditional distributed systems. The single portalconcept is a “must have” feature for busy system administrators andmakes the entire The system deployment, configuration and maintenanceexperience seamless and easy.

A simple and flexible restore process is provided. The system supportsmultiple methods for customer restores based on the customer need at thetime. The system's agent performs batch restores of large numbers offiles using the same techniques used to back up the data. A la carterestores are possible through a web based file browser that replicatesthe look and feel of a native file explorer. The system's mountcapability offers even more flexibility for the customer. By mountingthe system storage volume on a desktop or server, the customer can haveread only on demand access to any version of their backed up files.

The user and system support staff receive daily digest reports thatsummarize customer activity allow customers to know that everything isprotected without having to actively monitor the system.

Enterprise connectors are provided for Databases—Databases require acomplex series of steps in order to backup and restore. The system hasdeveloped native database backup and restore software to make theprocess simple and automated. The system MS-SQL backup connectorautomatically checkpoints the database, writes a current copy, detectsand uploads the sub file changes and allows for a local copy to be savedon any available direct attached or network attached file system.

The system's Netapp replication product can perform a near equivalentSnap Mirror replication without the need to purchase SnapMirror, anotherNetapp appliance, and set up another data center. The systemMirror isable to create and replicate NetApp snapshots and recreate thesnapshots—identically—on the The system backend service. Customers canreap the benefits of SnapMirror for a small fraction of the cost and cansimultaneously reduce vendor lock in for their storage appliance.

The system was built from the ground up to scale to Trillions of objectsat Exabyte scale and beyond. Each storage silo is horizontally scalableto near infinite number of nodes. The system configuration andmanagement system ties the nodes together in a shardable and easilyscalable way to support potentially millions of volumes andorganizations. The Authentication and networking infrastructure is basedaround industry standard mechanisms that Netscape helped to establish inthe 90's and have proven to scale to internet wide levels.

The system has custom built the billing metrics systems usingtraditional SQL database methodology to produce a very reliable yetscalable system. The system can support a large number of flexiblesubscription billing features.

The system has built a fully automated provisioning system that allowsfor new customer signup and service delivery with no human interaction.This allows for complete automation of the customer acquisition process,partner provisioning of new customers and the ability for customers toadd additional separate storage volumes directly through our web basedconfiguration platform. The customer is able to choose the desiredlocation of the new volume from a geographic list of The system datacenters. The system can increase operational efficiency and allows forrapid growth. The storage volumes are provisioned from multiple sets ofavailable physical storage that are expanded just ahead of demand basedon growth projections.

Geographically Diverse Data Centers are used for disaster recoverypurposes. Two first-class shared-nothing facilities provides for ageo-replication option. With geo-replication, the customer receives twovolumes, one primary (read/write) and one secondary (read only). Readaccess to the secondary is available continuously. Replication is basedon snapshots which fire on a timer, typical propagation delay is about 4hours in one implementation. All logical management is done remotely,and only technician level personnel are required locally.

Shared Nothing Data Protection can be provided to customers who do notelect the Geo-diverse replication option. Their data is replicated to asecond, shared-nothing storage silo. From an application point of view,it is the same process as the geo-replication, except it is going to alocal target. Customers do not have access to this data set andadditional file system compression is enabled, but it is there toprevent against logical corruption issues.

Aside from application metrics, several thousand system metrics aremonitored, ensuring awareness of system problems in real time. Thesystem has extended monitoring of disk drives, and frequentlyproactively pre-fails them when they show excessive read or write errorsor other indications of a failing drive.

It will also be recognized by those of ordinary skill in the art ofcomputer programming that the method of FIGS. 1A-1B and the functionalmodules of the remaining figures may be embodied as a series ofinstructions organized into one or more computer programs which areexecutable by a programmable control device. A programmable controldevice may be a single computer processor, a plurality of computerprocessors coupled by a communications link, or a custom designed statemachine. Custom designed state machines may be embodied in a hardwaredevice such as a printed circuit board comprising discrete logic,specially designed application specific integrated circuits (ASICs), orintegrated circuits such as field programmable gate arrays (FPGAs).Storage devices suitable for tangibly embodying computer programsinclude all forms of non-volatile memory including, but not limited to:semiconductor memory devices such as electrically programmable read onlymemory (EPROM), electrically erasable programmable read only memory(EEPROM), and flash devices; magnetic disks (fixed, floppy, andremovable); other magnetic media such as tape; and optical media such asCD-ROM disks.

While the invention has been disclosed with respect to a limited numberof embodiments, numerous modifications and variations will beappreciated by those skilled in the art. It is intended, therefore, thatthe following claims cover all such modifications and variations thatmay fall within the true spirit and scope of the invention.

What is claimed is:
 1. A data recovery system, comprising: a pluralityof customer computers to be backed-up, each customer computer running aclient software to communicate back-up data files including generating afirst sub-file signature for one or more segments of a changed file; andsubsequently generating another sub-file signature for each file segmentand comparing them to detect insertions, removals, or rearrangements ofdata in the file and storing a plurality of signatures for each filelocally on the computer representing the latest state of each fileuploaded to a server; and transmitting one more changed segment(s) inthe file, writing a manifest file reflecting the new target state as anincremental backup; compressing, encrypting and transmitting the changedsegment through a Web-based Distributed Authoring and Versioningapplication program interface; expanding one or more patch sets andsaving the patch sets with the file system to provide an incrementalbackup while generating a full backup; taking a snapshot after a fullbackup providing for a version history; mapping the file data and metadata to an arbitrary file system; and saving one or more snapshots ofthe meta data on the distributed meta data store for a subsequentreconstructing of files for the arbitrary file system; a systemmanagement platform coupled to the client software over the Internet,the system management platform receiving inputs from a web user portalto control operations of the client software and the system managementplatform to back up the customer computer; and two or more data storagesilos, each including: a plurality of storage directors communicatingwith the client software; and a clustered data storage array, whereinthe data storage array comprises Redundant Array of Independent Nodes(RAIN) 6 storage nodes that ensures that even if two storage nodes godown that data is still available and RAIN protects a node, or server,cluster from failure.
 2. The system of claim 1, comprising a backendmonitoring system.
 3. The system of claim 1, comprising a metrics andbilling system.
 4. The system of claim 1, wherein the storage directorcomprises routers, load proxy units coupled to the routers, and serverscoupled to the load proxy units.
 5. The system of claim 1, wherein eachdata storage silo comprises a shared-nothing geographically disperseddata center.
 6. The system of claim 1, wherein the client softwarecommunicates using Web-based Distributed Authoring and Versioning tocollaborative updating and management of files on remote web servers andwherein the client software selects the number of threads.
 7. The systemof claim 1, wherein the client software comprises a configurableparallelism selection for multi-processor efficiency and high latencyconnections, or for backing up NAS/SAN or RAID arrays with multipledisks.
 8. The system of claim 1, wherein the data storage siloscomprises a pair of head nodes and a plurality of storage nodes.
 9. Thesystem of claim 8, wherein each storage node comprises a computer withan open sourced operating system and one or more data storage devices.10. The system of claim 8, comprising an on-disk encryptor to generateclear text and sent over an Internet Small Computer System Interface(iSCSI).
 11. The system of claim 10, wherein iSCSI traffic is loadbalanced and fails over network links and connected to a plurality ofswitches.
 12. The system of claim 10, wherein iSCSI data comprise wholedisk mappings and wherein the head nodes create RAID stripes across thestorage nodes.
 13. The system of claim 10, wherein one head node is astandby head that, upon failure of the other head node, imports alliSCSI targets, takes over a file system and virtual IP addresses andresumes operation in a fail-safe manner.
 14. The system of claim 1,comprising a user interface to restore files through a group consistingof: the client software, a web based file browser replicating a look andfeel of a native file explorer, and a remote data drive at the datastorage silo acting as a local drive and mounted by a user.
 15. Thesystem of claim 1, wherein the web user portal includes modules tomanage, configure, recover and report on data protection jobs.
 16. Thesystem of claim 1, comprising a database backup connector thatautomatically checkpoints a database, writes a current copy, detects anduploads sub file changes and allows for a local copy to be saved on adirect attached or network attached file system.
 17. The system of claim1, comprising a module to create and replicate NetApp snapshots andrecreate the snapshots identically on (Original) The system backendservice.
 18. The system of claim 1, comprising a local drivesynchronized with the data storage silo to maintain a local copy ofback-up data.